Feature to track data about hardware wallets and installed applications has been discovered in Ledger Live
The device activates authentication when interacting with applications
28.12.2023 - 08:57
What’s new? Ledger Live, the software for Ledger hardware crypto wallets, tracks data about users and the applications installed on their devices, a developer known as @rektbuildr reported on X, based on his analysis of the program’s code. According to him, Ledger Live activates authentication when interacting with applications installed on the wallet, which prevents anonymous use of the device.
What else is known? The developer said that device authentication is embedded in the listApps subroutine, and that the program starts working incorrectly when you try to disable remote tracking. Thus, Ledger records every time the device is turned on and knows which applications are running on it.
“Hardware wallets should work 100% offline. No phoning back anything at all. It’s crazy that we have to be discussing this in 2023 but here we are,” @rektbuildr emphasized.
He also noted that Ledger recently implemented a private key recovery feature under which parts of the key are deposited with third parties, and wondered how the company can ensure that this data is protected from being read by unauthorized parties.
The developer emphasized that he does not want to spread panic (FUD), but also urged not to upgrade Ledger Live to a newer version if users are happy with the current one.
He also believes Ledger should allow experienced users to work with fully standalone devices by making the ability to use Ledger Live optional.
Earlier this month, hackers exploited Ledger Connect Kit, a JavaScript library used to connect websites to Ledger’s hardware wallets. The company patched the vulnerability and gave assurances that the attack did not affect the integrity of Ledger hardware or Ledger Live and only affected third-party decentralized applications (DApps) that used the library.
Ledger later reported that users lost $600,000 due to a vulnerability in the blind signing mechanism. The company pledged to reimburse the losses and to replace the mechanism of interaction with DApps with a fully transparent one by June 2024.